Hackers Can Steal ATM PINs Through Smartwatches or Fitness Trackers, New Study Warns

"Wearable devices can be exploited."

Tech experts have recently advised putting a piece of tape over laptop webcams following cases of hackers accessing them and blackmailing people with private footage, but the risks don’t stop at computers.

Now, researchers from Binghamton University and the Stevens Institute of Technology warn that wearable devices, like smartwatches and fitness trackers, may also be at risk of being hacked.

In a new paper, which received the “Best Paper Award” at the 11th annual Association for Computing Machinery Asia Conference on Computer and Communications Security (ASIACCS), the scientists outline how they used data from wearable devices and a computer algorithm to crack private PINs and passwords.

"Wearable devices can be exploited," co-author Yan Wang, assistant professor of computer science at Binghamton University, said in a press release. "Attackers can reproduce the trajectories of the user's hand then recover secret key entries to ATM cash machines, electronic door locks and keypad-controlled enterprise servers."

Basically, hackers could record users’ hand movements as they keyed in their private PINs and passwords, and with the help of a computer algorithm, they’d be able to access that information.

In the study, the researchers conducted 5,000 key-entry tests on three key-based security systems, including an ATM, and monitored the hand movements of 20 adults wearing wearable technologies over a period of 11 months.

Wearable technologies contain accelerometers, gyroscopes, and magnetometers to help orient the devices and measure acceleration and magnetic forces. By recording fine-grained hand movements from these sensors, the researchers were able to capture millimeter-level information, regardless of how the hand was positioned. With this information, they were able to estimate distance and direction between consecutive keystrokes, eventually breaking the PIN codes and passwords with alarming accuracy.

On the first try, the researchers reported an 80-percent accuracy in breaking the codes, and after three tries, they achieved more than a 90-percent accuracy. The team says that this is the first study that has shown personal PINs and passwords can be hacked from wearable devices without the need for contextual information.

"The threat is real, although the approach is sophisticated," Wang added.

Unfortunately, the team doesn’t yet have a solution for the problem, but they suggest that wearable tech developers "inject a certain type of noise to data so it cannot be used to derive fine-grained hand movements, while still being effective for fitness tracking purposes such as activity recognition or step counts."
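The noise-injection idea can be checked on synthetic data. The sketch below is an added example, not code from the paper or the researchers: it adds Gaussian noise to accelerometer samples and compares the effect on a step count with the effect on a displacement estimate for a short hand movement. The 50 Hz sample rate, the sinusoidal signals, the noise level, the threshold step counter and the double integration are all simplifying assumptions chosen for illustration.

```python
import math
import random

FS = 50                 # assumed sensor sample rate in Hz
DT = 1.0 / FS

def add_noise(samples, sigma, rng):
    """Inject zero-mean Gaussian noise (m/s^2) before data leaves the sensor layer."""
    return [a + rng.gauss(0.0, sigma) for a in samples]

def count_steps(accel, window=5, thr=1.0):
    """Coarse feature: smooth, then count trough-to-peak swings with hysteresis."""
    armed, steps = False, 0
    for i in range(window, len(accel) + 1):
        s = sum(accel[i - window:i]) / window
        if s < -thr:
            armed = True
        elif s > thr and armed:
            armed, steps = False, steps + 1
    return steps

def displacement(accel):
    """Fine feature: double-integrate acceleration to get distance moved (m)."""
    v = p = 0.0
    for a in accel:
        v += a * DT
        p += v * DT
    return p

def walking(seconds=10, step_hz=2.0, amp=3.0):
    """Constructed walking signal: 2 steps per second for 10 s (20 steps)."""
    return [-amp * math.sin(2 * math.pi * step_hz * k * DT)
            for k in range(int(seconds * FS))]

def keypad_move(dist=0.03, seconds=1.0):
    """Constructed hand movement of `dist` metres completed in `seconds`."""
    n = int(seconds * FS)
    amp = dist * 2 * math.pi / seconds ** 2
    return [amp * math.sin(2 * math.pi * k / n) for k in range(n)]

def evaluate(sigma=0.5, trials=200, seed=1):
    """Return clean steps, min/max noisy steps, true distance, mean distance error."""
    rng = random.Random(seed)
    walk, move = walking(), keypad_move()
    steps = [count_steps(add_noise(walk, sigma, rng)) for _ in range(trials)]
    true_d = displacement(move)
    errs = [abs(displacement(add_noise(move, sigma, rng)) - true_d)
            for _ in range(trials)]
    return count_steps(walk), min(steps), max(steps), true_d, sum(errs) / trials

if __name__ == "__main__":
    print(evaluate())
```

In this model the step count is unchanged while the error on a 3 cm movement is about as large as the movement itself. Independent zero-mean noise averages down over repeated observations of the same entry, so this simple model is a starting point rather than a complete defence.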